Reboot/fix/OIDC auth introspect #3183
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Pablo Hernán Carle <[email protected]>
Signed-off-by: Pablo Hernán Carle <[email protected]>
pablocarle
reviewed
Oct 20, 2023
| @@ -112,35 +127,6 @@ Use the following procedure to enable the feature to use an OIDC Access Token as | |||
|
|
|||
| ## Troubleshooting | |||
There was a problem hiding this comment.
I think we can refactor the current ones and mention that failure can occur if:
- JWK is not available or incorrectly configured.
- JWK was revoked by the authorization server and the update has not happened yet in the api ml (in this case configure better value for the refresh interval or restart api ml, or just wait)
Signed-off-by: Andrew Jandacek <[email protected]>
Signed-off-by: ShobhaJayanna <[email protected]>
janan07
reviewed
Oct 24, 2023
| - After successful validation of all authentication factors, the OIDC provider grants the client an Access Token. | ||
| - The client can then request from API ML Gateway the needed mainframe resources presenting the access token in the request. | ||
|
|
||
| - The Gateway validates the access token. |
There was a problem hiding this comment.
Is this statement necessary? The next statement repeats this with additional information...
janan07
reviewed
Oct 24, 2023
|
|
||
| - The Gateway validates the access token. | ||
|
|
||
| - The Gateway validates the access token by comparing the key id of the token against the key ids obtained from the authorization server's JWK keys endpoint,URL to end point should be set using the property jwks_uri. If the access token is validated, the outcome is cached for a short time (20 sec by default). |
There was a problem hiding this comment.
Review this sentence. I suggest this be two sentences.
"the key ids obtained from the authorization server's JWK keys endpoint,URL to end point should be set"
janan07
reviewed
Oct 24, 2023
|
|
||
| - The Gateway validates the access token by comparing the key id of the token against the key ids obtained from the authorization server's JWK keys endpoint,URL to end point should be set using the property jwks_uri. If the access token is validated, the outcome is cached for a short time (20 sec by default). | ||
|
|
||
| - The JWK Keys obtained from the authorization server's endpoint are cached for a while to prevent the repeated calls to the endpoint. It can be set using the property jwks.refreshInternalHours (it's 1 hour by default) |
There was a problem hiding this comment.
Please make "for a while" more specific. Perhaps, " The JWK Keys obtained from the authorization server's endpoint can be cached for a specified interval to prevent the repeated calls to the endpoint."
Signed-off-by: Andrew Jandacek <[email protected]>
Signed-off-by: sj895092 <[email protected]>
janan07
approved these changes
Oct 24, 2023
Signed-off-by: ShobhaJayanna <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Your checklist for this pull request
🚨Please review the guidelines for contributing to this repository.
If the changes in this PR is part of the next future release, make this pull request against the docs-staging branch which will be published at the next release boundary. If the changes in this PR are part of the current release, use the default base branch, master. For more information about branches, see https://github.com/zowe/docs-site/tree/master#understanding-the-doc-branches.
If this PR relates to GitHub issues in
docs-siteor other repositories, please list in Description, prefixed with close, fix or resolve keywords.This PR is to update the OIDC documents with mechanism and new properties in OIDC to configure JWK keys location (obtained according to documentation from the authorization server's metadata)
New properties:
apiml.security.oidc.jwks.uri: URL to the JWK keys endpoint.
apiml.security.oidc.jwks.refreshInternalHours: hours to refresh the JWK keys.
❤️Thank you!